The Ashley Madison hack and healthcare

I was really hesitant to write anything about this topic at all, but a recent article in Gizmodo convinced me that there is something really critical here to be discussed. Yes, I am talking about the Ashley Madison data hack and its implications for the healthcare industry.

What do we know so far? Well, we know that there were approximately 35 million records dumped onto the “dark web” and that within that data was quite a bit of information. In fact, I’ve recently seen a sampling of that data including addresses and names and it’s frankly startling to see someone you know show up on the list. I don’t recommend it.

What I don’t know is anything other than the limited data that I’ve seen and what is presented by what I hope are reputable sources. What I present here is not presently vetted as it would be quite an undertaking to do so on my own. I’m hoping by publishing through this medium (heh — get it!) that we might be able to get some clarification on this topic and to help me with my own thoughts about how this impacts the healthcare industry.

First, let’s talk about privacy versus security

There is a certain amount of privacy that one should expect when engaging with a site that purports to maintain a secret for you, or to help you evade telling the truth. Privacy is “the state or condition of being free from being observed or disturbed by other people.” In contrast, security is “the state of being free from danger or threat.” There is a nuance to the interplay between these two, but they are absolutely distinct.

In the healthcare industry, we’re well aware of the difference between these two things — or at least we should be. But all too often we confuse the strictures of HIPAA as being about privacy. That’s not inherently true. HIPAA is the Health Insurance Portability and Accountability Act. It’s about security, not necessarily privacy. In fact, HIPAA even covers how healthcare entities should handle informing their patients on how things are handled with regards to privacy because HIPAA doesn’t specifically provide for them. The “P” throws everyone off.

In fact, your Private Health Information (PHI) likely moves around the system in all kinds of ways that you may not realize. When you are seen for a service, your information probably goes to a payer on a claim form. That claim form may be accompanied by clinical documentation that may go to a Managed Care company. Your data ends up going through all kinds of people that you don’t explicitly give your permission to. All KINDS of people.

But just because your information is being moved from company to company, person to person, doesn’t mean your information isn’t secure. Most of the time, the system works just fine. Other times, you run into a problem like Anthem had where a breach in their IT structures resulted in a massive data leak. In such cases, there are actual federal guidelines as to how that breach is handled that are clearly defined. And those breaches are very expensive to the healthcare company.

The reason for that is that it can sometimes be more difficult to protect yourself after a breach of PHI than after a breach of, say, your financial information. Because there is no national ID for the healthcare system, a Social Security Number is often used for transactions between systems. While an insurer might also provide you with an individual ID for their internal systems, for those data to move between entities, you have to use an SSN.

But even SSN can be protected against a breach with credit monitoring when it comes to your financial information. What is a little different about PHI is that it can contain deeply personal information about the individual such as diagnoses, current or past treatment, and even likelihood for future diagnoses when it comes to genetic information. Your genome can’t be changed like your SSN or bank account information. That’s all yours.

Let’s bring it back to Ashley Madison

What did Ashley Madison actually promise, then?

Ashley Madison is the most famous name in infidelity and married dating. As seen on Hannity, Howard Stern, TIME, BusinessWeek, Sports Illustrated, Maxim, USA Today. Ashley Madison is the most recognized and reputable married dating company. Our Married Dating Services for Married individuals Work. Ashley Madison is the most successful website for finding an affair and cheating partners. Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair. We are the most famous website for discreet encounters between married individuals. Married Dating has never been easier. With Our affair guarantee package we guarantee you will find the perfect affair partner. Sign up for Free today.

We can discuss the morality behind the purpose of the site all day long, but the site exists and people signed up for it. So let’s just move on past that topic and dig into how this is relevant to our purpose here.

After looking at the data from Annalee Newitz’s article, there’s clearly something else going on here. There are not a ton of married people who are successful in cheating on their spouses. There are a ton of married men who are flirting with the idea of cheating on their spouses.

The societal impact of the hack

Well, we know that Josh Duggar admitted to cheating on his wife and entering rehab after the hack was announced and that he was on the list. I haven’t seen that he successfully met anyone on the site, but looking at the numbers in the Gizmodo article, I’m going to guess not. And there are reports that there may be suicides that have been linked to the hack. And there has even been reporting on the pervasiveness of the use of the site by federal employees.

So, we’re seeing some significant potential impact of the site across many walks of life and affecting many groups throughout the world, in fact. But again, going back to the numbers, this probably isn’t nearly the situation that we think it is.

Let’s focus on the men that were probably brought to this site, since the Gizmodo article all but dismisses the women that were on the site — especially after highlighting that a number of those women could have been checking for cheating spouses, rather than looking to cheat.

There is the issue of Ashley Madison’s promise to its users. That it would allow for discretion in cheating. That’s a privacy promise in my opinion, and not necessarily a security one. Would one assume that their information was being secured as well? Maybe, but I don’t think that’s inherent to their brand promise. Again, I haven’t dug into the language of their policy yet — this is a working document — but there was going to be no protection when you moved from the online world to the offline world anyhow, so how one could have reasonably expected security is beyond me.

You’ll have to draw your own line as to what is considered cheating and what is not, but most of these individuals that were active on the site were more than likely talking to robots. Those that weren’t may have been casually flirting. And of those left, well, I’ll just say the proportions would show that likely if anyone was successful in cheating, they were probably 4th or 5th in line in their area.

For the first two categories, you were made a promise by Ashley Madison and you were either duped or you got exactly what you needed. If you expected you would actually find an affair, the first category; if you were looking for an outlet that let you flirt, you probably got a robot and received exactly what you needed from the site.

What this means for healthcare

Does or would the Ashley Madison hack have an effect on healthcare more broadly? I don’t know. There’s certainly a couple of considerations here.

Does this inherently decrease the public’s trust of the internet and data security generally? I hope not. You should absolutely be concerned about security, but let’s be honest — Ashley Madison is not the healthcare industry, it’s a site for people wanting to cheat. There’s an inherent, goal-oriented difference between the two, we’ll call them, “industries.”

Does the new data lessen the impact that the hack actually has on the greater societal opinion surrounding the fear of data integrity? Probably, but it really shouldn’t. This still highlights a critical misunderstanding that we have about our data and how it gets used. That’s no less true in the healthcare industry as I’ve pointed out above.

Will it change the way that healthcare handles data? I cannot imagine it would. Your data is being protected pretty well already, but this type of hack is the result of something far different than why someone would go after healthcare — that’s largely financial.

Is the Ashley Madison hack still relevant? You bet your sweet you know what it is! We’re entering a new phase in the healthcare industry’s development where you as a consumer are going to be able to make more decisions about the way in which you interface with that system. That means you have more control over who is getting your data initially, and within the new Health Information Exchange models set up in each state, maybe even after your initial input of data. Some systems are prepared to share data down to very granular levels. That means you will have to make some decisions about how you want your information to be shared.

Does this mean you shouldn’t share your data? I wouldn’t go that far. Your data, if properly secured, doesn’t need to be private from legitimate sources in the healthcare industry. That data can be very important for medical advancement for one. But there is also a possibility that your information can help providers make better decisions to help you in making decisions about your own healthcare.

Health inSite: Privacy, Security, and “What’s with my damn data!”

I will be moderating a tweet chat on May 16th with the crew that participates in #HITsm (Health Information Technology / Social Media) and thought I’d go ahead and post those here for anyone else that might be interested or wanted a teaser for that chat.

These topics will be cross-posted on the HL7 Blog for TweetChats closer to the event.

We live in a data-damp world.  While we’ve always generated tons of data, never has it ever been so catalogued and retrievable.  We have begun a shift in our willingness to allow outside groups to do this for us in some cases, for example, in cloud-based applications, social networks, and the like.  It’s not true for everyone, but there’s no question there’s a shift in our culture toward allowing more of this.

#HITsm T1: Is releasing more a/b ourselves an increase in trust, or risk-taking? Is that a positive thing? How is it impacting healthcare?

Some might make the case (myself included) that this is a positive thing as we continue to share ourselves in a way that allows our impact on each others’ decision-making to become more transparent (blog posting) and potentially affect-able.

#HITsm T2: What is the balance between transparency and privacy/security that makes sense when it comes to healthcare? How?

Twitter Head of Safety, Del Harvey (@delbius), recently gave a TEDtalk about how the scale of Twitter requires significant considerations in how Twitter protects its users, in many cases, from themselves.  For example, Twitter made the decision to remove geo-tagging meta-data from photos that are posted to Twitter to ensure that users could not be tracked live as they posted information.

#HITsm T3: What patient data in healthcare may be innately helpful or harmful to safety/security, known or unknown? Examples?

If we accept the premise that some information should be shared for the benefit of the social network (friends, family, neighbors, etc.) in terms of how behaviors affect the health and wellbeing of all who access the healthcare system (effectively all citizens under the Affordable Care Act), who should set what/where/how that information should be shared?

#HITsm T4: Who should control access to data re: healthcare info? Should there be suggested min. shared data? What parallel models exist?

In a somewhat humorous interview with former NSA chief Keith Alexander on his HBO show “Last Week Tonight,” John Oliver asked if recent outcry regarding privacy among the US population was simply a branding issue for the NSA to which there was some assent from the former head.  Sarcasm aside: there may be value in rebranding the healthcare system to focus on increasing sharing to leverage shared health decision-making.

#HITsm T5: If we want to increase sharing data to leverage shared #HC decision-making, how can #HealthIT and #SoMe help?

Have thoughts you want to share? Feel free to comment below!

To our health,

Ryan Lucas
Manager, Engagement & Development
Follow me on twitter: @dz45tr

Health inSite: Decisions and Privacy

There is a shift in healthcare related to our concept of privacy that is sorely needed – and it’s probably a little different than what you’ve heard from a lot of groups/people around the web.

We need to stop thinking about healthcare as a private thing.

As far as information about us, it’s simply no longer acceptable to consider our lives as private.  Not in a time where we actually understand our social network to such a degree that we can accurately and effectively map our connections in the social network (not like Facebook but friends, family, co-workers, neighbors, and the ‘guy at the gym’) and understand how we consciously and unconsciously make decisions about how we behave.  These behavioral changes manifest in health outcomes and as we move to a healthcare system (rather than a sickcare system) what you do is what you are – or more precisely what you are going to become.  Now, I’m not saying you shouldn’t be protected from abuse or discrimination or anything like that, but functionally, your decisions every single day are going to have an impact on more than just you; you owe some accountability to your social network (and they to you) as to what your decisions are doing every day, because Community is the Key to Health.

You may not know it yet, but what you decided to eat for lunch today (if you ate lunch today – and for some of you that might not even be the case) was decided long before you actually ate your lunch.  Here’s a non-exhaustive list of the ways in which this decision was made before you actually ate it:

Schedule: The structure of your day had an impact on what you ate for lunch.  Did you have a co-occurring meeting and therefore ate a “bagged lunch?” Did you have a meal prepared ahead of time – and if not did you have to throw a lunch together this morning before leaving, or did it force you to “forage” for a lunch?

Environment: Consider how the environment surrounding your lunch impacts your lunch decision. Did you run out for lunch because you needed some fresh air or a break from the office?  Do you have a place where you regularly eat lunch and therefore have a system for preparing for that meal each day – conversely, did that get interrupted for this particular lunch by environmental impacts like bad weather or the space itself was occupied in a way that prevented you from following that regular schedule?

Social Impact: For some, eating lunch is a social activity.  Do you have a regularly scheduled lunch partner? Was that true today?

Resources: Money and time as resources have an impact on the structure of lunch.  How do you use these resources in an intentional way related to your lunch habit? Do you spend money at a restaurant / court / vending machine each day or bring your lunch?  Do you have the resources of time and money to prepare ahead or use those resources to forgo preparing ahead?

And let me tell ya’, this isn’t even the beginning of the ways that this could be further expanded.  Think about all of the ways that a single meal is planned and replicate that process for each decision you make today.  Exercise, nutrition, social activities, occupational activities, mindfulness activities, financial decisions, personal intellectual development, etc. etc. etc.

Now think about this: why did you make those decisions?  Consciously or not, you may have made those decisions because of someone else.  Did your partner pack your lunch and therefore help to make the decision of what you’re eating – or was shopping not prepared in a way to pack that lunch in the preferred way?  How much of your diet is based on someone else’s decision?  Maybe your doctor suggested a change in your diet?  Maybe you or a family member has a dietary restriction that changes your diet on a daily basis.  In the case of a family member’s restriction, maybe your lunch is the time when that restriction doesn’t apply to your personal diet?

Lastly consider this: Can you push yourself to make a given decision either by limiting or adding options?  Can you change the options you have available at the point of decision-making with a little bit of foresight?  Try to find one example of a way that you can “pre-decide” by removing the alternative option.  Maybe one of the questions above can be flipped to help you make a “pre-decision” that will help you make a single, healthier decision this week – even if it’s only once.  You might find it’s pretty easy to do and may be a powerful way to change your behavior in a positive way.  And then consider the flip-side of this.  How can you help someone else through a “pre-decision” that helps someone in your social network make a decision that is healthier for them?

Here’s what I’m saying, and to slightly alter a quote from Cloud Atlas:

Our health is not our own. We are bound to others, near and far, and by each decision and every sharing of those decisions, we birth our health.

It’s time for us to stop thinking that we are fully separate members of society that don’t have an impact on others and start being accountable to one another for how the decisions we make impact others – and vice versa.  Yes, even in health.

To our health,

Ryan Lucas
Manager, Engagement & Development
Follow me on twitter: @dz45tr